Friday, April 19, 2024

Mashford's Musings

My thoughts and experiences from working within the Microsoft Cloud.

Uncategorised 

New Azure Active Directory resilience features: action required

Anthony Mashford 0 Comments

Howdy folks,

If you are federating a separate identity system with your Azure Active Directory tenant, such as Active Directory Federation Server (ADFS), this blog post is for you!

Were totally committed to maximizing Azure Active Directory service availability. As part of that commitment were adding more resilience features over the coming months. For most users, especially those who authenticate directly with Azure Active Directory, these benefits are completely transparent and just automatically deliver more reliability. However, organizations that use another identity system federated to Azure Active Directory for user authentication will need to make some configuration changes to see the benefits. This post will provide you with the information you need to make the necessary changes and take full advantage of these enhancements.

The new Azure Active Directory features will enable an additional layer of failover. I’ll blog more about these new features in the coming weeks, but if you want to get them benefits of the extra availability they provide, your federation server needs to be configured to accept requests from additional URLs. If these URLs are not configured there is no impact compared with today, but the users of the federated system wont see the additional resilience benefits.

Running ADFS with AD Connect?

If you are running ADFS and AD Connect then AD Connect will make these changes for you and you dont need to take any action. You can use the information in this post, however, to check that the ADFS configuration has been updated.

ADFS without AD Connect?

If you are running ADFS without AD Connect or a different IdP federated to AAD, you will need to make the configuration changes yourself, and you can do that now, so your systems are ready to go.

Below youll find:

  • The new URLs that should be configured as valid endpoints on Identity Providers federated with AAD

  • Specific instructions for manually making the configuration changes to ADFS

  • How to check that your ADFS configuration has been updated if you have AD Connect set up in your environment

  • How to roll-back the ADFS changes (if you need to)

New endpoints required in Relying Party Trust Configuration

Your federated identity provider will need to handle the following set of reply URLs in the Relying Party Trust configuration:

https://stamp2.login.microsoftonline.com/login.srf
https://ccs.login.microsoftonline.com/ccs/login.srf
https://ccs-sdf.login.microsoftonline.com/ccs/login.srf

Specific instructions to update ADFS

Use PowerShell to update your ADFS configuration. This needs to be done on one ADFS node.

For Windows 2008 and earlier systems you may need to load the ADFS powershell module if you havent already done so.

$rp = Get-AdfsRelyingPartyTrust -Name urn:federation:MicrosoftOnline
$endpoints = New-Object System.Collections.ArrayList
if ( $rp.AdditionalWSFedEndpoint ) { $rp.AdditionalWSFedEndpoint | %{$endpoints.add($_)} }
$endpoints.add("https://stamp2.login.microsoftonline.com/login.srf")
$endpoints.add("https://ccs.login.microsoftonline.com/ccs/login.srf")
$endpoints.add("https://ccs-sdf.login.microsoftonline.com/ccs/login.srf")
set-adfsrelyingpartytrust -targetname $rp.Name -AdditionalWSFedEndpoint $endpoints

Checking your ADFS configuration

To verify current settings use the PowerShell command:

Get-AdfsRelyingPartyTrust

Rolling back

If you need to roll back your changes for any reason, heres how to do that in PowerShell:

$rp = Get-AdfsRelyingPartyTrust -Name urn:federation:MicrosoftOnline
$endpoints = New-Object System.Collections.ArrayList
if ( $rp.AdditionalWSFedEndpoint ) { $rp.AdditionalWSFedEndpoint | %{$endpoints.add($_)} } 
$endpoints.remove("https://stamp2.login.microsoftonline.com/login.srf")
$endpoints.remove("https://ccs.login.microsoftonline.com/ccs/login.srf")
$endpoints.remove("https://ccs-sdf.login.microsoftonline.com/ccs/login.srf")
set-adfsrelyingpartytrust -targetname $rp.Name -AdditionalWSFedEndpoint $endpoints

Wrapping up

We strongly encourage you to take advantage of these changes to maximize the reliability of your system. Have feedback or thoughts about these changes? Wed like to hear them. Please share with us in the comments below. We look forward to hearing from you!

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division


Source: EM+S Blog Feed

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.